Method and system for creating and utilizing managed roles in a directory system

ABSTRACT

Role is a comprehensive grouping mechanism. In a client-server directory system, roles transfer some of the complexity to the directory server. A role is defined by its role definition entry. Any client with appropriate access privileges can discover, identify and examine any role definition. A “managed” role is one that can be configured to provide search results similar to those available with a static grouping mechanism, i.e., to create a group entry that contains a list of members. Managed roles allow a user to create an explicit enumerated list of members. A managed role is a label stored with a directory entry.

This application is a continuation of U.S. patent application Ser. No.09/867,789 entitled “Method of Creating and Utilizing Managed Roles in aDirectory System”, filed May 29, 2001 now U.S. Pat. No. 6,785,686.

TECHNICAL FIELD

The disclosed system and method relate generally to providing directoryservices in a centralized or distributed computing environment, and moreparticularly, to a directory service that uses methods of groupingentries.

BACKGROUND

Electronic directories or directory servers are becoming important toolsto manage network resources. The term Directory Service refers to acollection of software, hardware, and processes that store informationabout an enterprise or an organization and make the informationavailable to users. A directory service generally includes at least oneinstance of Directory Server and one or more directory client programs.Client programs can access names, phone numbers, addresses, and otherdata stored in the directory. For example, one common directory serviceis a Domain Name System (DNS) server. A DNS server maps computer hostnames to Internet Protocol (IP) addresses. Thus, all of the computingresources (hosts) become clients of the DNS server. The mapping of hostnames allows users of an organization's computing resources to easilylocate computers on an organization's network by remembering host namesrather than numerical IP addresses. It should be noted, however, thatwhile the DNS server stores only two types of information, namely, namesand IP addresses, a true directory service stores virtually unlimitedtypes of information.

A directory server forms a central information repository that providesdata warehousing functionality to access users and groupings to whichusers belong. By thus becoming a central point where network, securityand application services are able to obtain information, the directoryhas emerged as a key component of an integrated distributed computingenvironment. Additionally, the centralization of information has enabledease of administering the information. Several uses of directories areknown: (1) as naming service e.g., Directory Naming Service for Internethost addresses; (2) as user registry for storing information of allusers in a system of interconnected computers; and (3) a Yellow Pagesservice, which allows E-mail clients to perform look-up to finddestination addresses.

A directory service uses a namespace, which provides for efficientreferencing and retrieval of collections of related information, such asa person's name, organization, physical address, and e-mail address.Corporate directories have been evolving independent of any standardizedprotocol to access them. On corporate Local Area Networks (LANs), eache-mail system has its own directory, which is not interoperable withthose of other vendors. On larger systems using TCP/IP, there is nosingle directory standard—certainly not one that is routinely used onthe scale of intranets.

Standardized Directory Access Protocols (DAP) such as the X.500—which isthe International Telecommunication Union (ITU-T) standard fordirectories—are designed to provide a uniform method of accessing thedirectory servers from any application program executing on any computersystem. These protocols are designed to overcome the problems ofincompatible host systems and access procedures. Referring to FIG. 1,applications and users access a directory service by making a request toa Directory User Agent (DUA), which transfers the request to a DirectorySystem Agent (DSA), using the DAP. The directory itself can include oneor more DSAs. The DSAs can either communicate among themselves to sharedirectory information, or can direct the DUA to use a specific DSA. Thislatter mechanism is called a referral. Referrals can happen when DSAsare not set up to exchange directory information, such as in cases whereadministrators did not agree on how to interwork with these components,or due to security concerns.

As shown in FIG. 2, in X.500, there are 17 base object classes such asCountry, Organization, Organizational Unit, Locality, and Person. Theseobject classes can have one or more of the 40 attribute types such asCountry, Organization Name, Organizational Unit Name, Locality Name, andCommon Name. FIG. 3 shows a hierarchically arranged instance of X.500data tree.

X.500 forms the application layer of the well-known 7-layer Open SystemsInterconnection (OSI) protocol stack, and requires a large amount ofmemory and operational overhead. Moreover, X.500 addressing has becomequite complex. In X.500, the namespace is explicitly stated and ishierarchical. Such namespaces require relatively complicated managementschemes. The naming model defined in X.500 is concerned mainly with thestructure of the entries in the namespace, not the way the informationis presented to the user.

The complete set of all information held in a Directory is known as theDirectory Information Base (DIB). It should be noted that not all ofthis information is visible to normal users of the Directory. Referringto FIG. 4, in a Directory User Information Model, an entry holdsinformation about an object of interest to users of the Directory. These(Directory) objects might typically be associated with, or be some facetof, real world things such as information processing systems ortelecommunications equipment or people. So there can be a Directoryentry for an X.400 Message Transfer Agent (MTA), and another one for themanager. However, it is very important to note that Directory objects donot necessarily have a one-to-one correspondence to real world things.This has typically caused a lot of confusion to non-experts, many ofwhom assume that every entry in the Directory contains all the relevantinformation about one real world thing. This is not necessarily so.Directory objects, and hence entries, can have a one-to-onecorrespondence with real world things, or can have a many-to-one orone-to-many relationship with real world things. For example, aDirectory object/entry may be a mailing list containing the names ofmany real people (one-to-many correspondence). Alternatively, a realperson may be represented in the Directory as both a residential personobject/entry and an organisational person object/entry (many-to-onecorrespondence). In the latter case, the organisational person Directoryentry would hold information that is relevant to describing the personin their working environment, holding their office room number, internaltelephone extension number, electronic mail address, and the departmentetc., the residential person Directory entry would describe the personin their residential capacity, holding their home postal address andhome telephone number etc. Objects that have similar characteristics areidentified by their object class. Every object entry in the Directory isa member of at least one object class. So, for example, there is an‘organizational person’ object class for organizational person entries,and a ‘residential person’ object class for residential person entries.This organizational person object will be explained in detail below.

Also shown in FIG. 4 are entries. Every entry in an X.500 DirectoryInformation Tree (DIT) is a collection of attributes, each attributecomposed of a type element and one or more value elements. Because itwas designed to accommodate all types of directories, in case of theX.500, the DAP has become too general to be easily configured to workwith specialized applications. These reasons have resulted in a limiteduser acceptance of X.500. Each piece of information that describes someaspect of an entry is called an attribute. An attribute comprises anattribute type and one or more attribute values. An example of anattribute type might be ‘telephone number’ and an example of a telephonenumber attribute value might be ‘+91 861 324 251’.

The Lightweight Directory Access Protocol (LDAP) has emerged as an openstandard from the Internet Engineering Task Force (IETF) to providedirectory services to applications ranging from e-mail systems todistributed system management tools. LDAP was created as a protocol foraccessing X.500 directories so that clients could run on desktopcomputers without affecting performance. LDAP is based on aclient-server model in which a client makes a TCP/IP connection to aDirectory server, sends requests, and receives responses. The LDAPinformation model, in particular, is based on the concept of a “targetentry”, which contains information about some object. In thisapplication, an unqualified reference to an “entry” means that areference is made to a “target entry.”

Entries are typically organized in a specified tree structure, and eachentry is composed of attributes. In an LDAP-compliant directory server,each user and group in an organization or an enterprise is representedby a Distinguished Name (DN) attribute. As defined in Request forComment (RFC) 1779, DN attribute is a text string that containsunambiguous identifying information for an associated user, group, orobject. DNs are used when a change is made to a user or group directoryentry. Directory server entries are typed by an objectclass attribute,which allows searching for those entries with a particular value to theobjectclass attribute. To search a company's sales department of aUnited States corporation, for example, an Directory server query in theUniform Resource Locator (URL) format:

-   -   ldap://ldap.corp.com/ou=sales,o=corp,c=us??sub?objectclass=person

This returns all person entries in the directory tree below the entrynamed by Organizational Unit Name=sales; Organization Name=corp; andCountry Name=US. After entries are made for a directory, administrationof these entries can be made easier by grouping these entries.

As shown before in FIG. 3, typical directory tree organizes entries onlyhierarchically. This structure may not be optimal for short-lived orchanging organizations where groupings can be made based on an arbitraryuser attribute. Moreover, in a typical directory system, a clientapplication is tasked with determining the type of groupings desired andproviding the logic for search requests to achieve the desired results.One could garner some efficiencies in the client application logic bypushing some complexity to the server side. But there is no known systemthat provides such a solution. Accordingly, there is discovered a needfor an advancement in the art.

SUMMARY

An X.500 (or LDAP) style directory service provides a standard interfacefor client software to retrieve information about entities (usuallypeople and network elements) from a centrally managed data repository.For example, an e-mail server application may want to retrieve thee-mail address for a person by supplying the person's full name. Atraditional directory server can apply certain semantics to theinformation it holds, based on client identity. For example, rights tomodify a password attribute may only be granted to the user's ownpassword and to an administrator from the same department as the user.However, extending this type of enhanced interpretation of directorydata in the context of a system function outside the directory serverproved problematic.

As an example, consider a web accounting application that needs torestrict the creation of purchase orders to purchasing department staff,unless the order value is less than $1000 in which case managers canplace orders. With a traditional Directory Service the application canchoose to store an attribute for each person entry which dictates themaximum value purchase order that person may create. This scheme has thedisadvantage that the logic behind the assignment of order value to eachperson may be lost.

In addition, if the purchase policy should change, the value must bechanged for each and every person. So, another approach would be tostore a description of the purchasing polity in the directory server, orperhaps externally. This scheme retains the policy logic, and allowseasy policy changes, however the accounting software now has to“understand” the directory structure and schema. In addition, when thereare many such applications, each one will now have its own policymechanism most likely all incompatible meaning increased training andsupport costs.

The presently disclosed mechanisms—roles and class of service—seek toprovide directory applications like the purchasing example above with amechanism by which they can delegate to the directory serverresponsibility for implementing their policies. Thus the benefits of acentrally managed directory service (one management mechanism, tightcontrol can be maintained) are retained while allowing directoryapplications to flexibly implement a range of policies.

For example, consider the case of a corporate purchase implemented in asystem that provides for roles and class of service. One can define arole signifying ability to enter purchase orders. This might have afilter like “employee type=manager or department=purchasing”. Thepurchasing application now needs only to compare the role attribute on agiven person's entry in the directory with the name of the “canpurchase” role to determine if a purchase request is valid. In addition,one might define a class of service which generates an attributeindicating the maximum purchase order value for every employee. Thedefinition can be such that employees without the “can purchase” rolehave a zero value; employees with the can purchase role and who are notin the purchasing department have value 1000; and those with the “canpurchase role” which are in the purchasing department have value1000000000. Note that in this example no real data is stored in userentries—the directory server generates the data from the policiesembodied in the role and class of service definitions. The followingtable shows some differences between approaches:

Central Ease of Client Management Maintenance Complexity Static groupsYes No Medium Dynamic groups Yes Yes High External No Possibly veryApplication Logic high Roles and COS Yes Yes Low

Accordingly, in an aspect, the present disclosure is directed towardgrouping entries in a directory server. In particular, two methods ofgrouping entries and sharing attributes between entries are disclosed.These are “roles” and “class of service.”

Role is a comprehensive grouping mechanism. In a client-server directorysystem, roles transfer some of the complexity to the directory server. Arole is defined by its role definition entry. Roles enable applicationsto locate the roles of an entry, rather than select a group and browsethe members list. Additionally, roles allow for support of generatedattribute values, and directory server-performed membership verificationfor clients. By changing a role definition, a user can change an entireorganization with ease. Any client with appropriate access privilegescan discover, identify and examine any role definition. Any client withan appropriate access privilege can add a new role definition, or modifyexisting role definitions. Further, role definitions can be replicatedin a distributed environment. Each role has entries called “members.”Members of a role are said to “possess” the role.

A client application can perform the following operations on roles.

-   -   (1) Enumerate the members of the role;    -   (2) Obtain an enumerated list of role members, which can be        useful for resolving queries for group members quickly;    -   (3) Determine whether a given entry possesses a particular role;    -   (4) Determine the roles possessed by an entry, which can help a        client-side application to determine whether the entry possesses        the target role;    -   (5) Enumerate all the roles possessed by a given entry;    -   (6) Assign a particular role to a given entry; and    -   (7) Remove a particular role from a given entry.

A client application can check role membership by searching the nsRoleattribute, which is computed by the directory server and therefore isup-to-date. From the point of view of a client application, the methodfor checking membership is uniform and is performed on the server side.

Roles are classified as simple and complex. An example of a simple roleis a Managed role, which allows a user to create an explicit enumeratedlist of members. Managed roles are added to entries using the nsRoleDNattribute. Examples of complex roles include (i) Filtered Roles, (ii)Nested Roles, and (iii) Enumerated Roles.

Briefly stated, the difference between the role types relates to theircapabilities, which depend on the implementation of these devices. Forexample, a managed role is just a label stored with a directory entry,whereas a filtered role is defined by the characteristics of entries. Soone uses a “managed” role when one wants to just “give” or assign a roleto an entry. When one wishes to identify all the entries with somecharacteristic, e.g., everyone who is a manager and works in adesignated building, a filtered role—which uses an LDAP filter in orderto search a designated portion of the directory system and to identifythose entries that possess the characteristics described in filter—isused. Nested roles are those that contain or include other types ofroles. Enumerated roles are possessed by an arbitrarily assigned list ofentries that may have nothing in common otherwise.

Filtered roles allow a user to assign entries to the role depending uponthe attribute contained by each entry. In an embodiment, a user assignsentries by specifying an LDAP filter. Entries that match the filter aresaid to possess the role. Nested roles allow a user to create roles thatcontain other roles. The user specifies the roles nested within a nestedrole by using the nsRoleDN attribute. An enumerated role provides anarbitrary list of members each of which possesses the enumerated role.The members that possess an enumerated role need not have any othercommon feature than the fact that they are all enumerated together in aparticular list. Enumerated roles are similar to static groups exceptthat no nesting is allowed within an enumerated role. If an enumeratedrole is possessed by a member which is itself a nested role, then theserver software may take an indefinite action with regard to thatmember. A second difference between enumerated roles and a static groupis that it is illegal to add a member to an enumerated group where thatentry lies outside the subtree specification.

Class of Service (CoS) allows a user to share attributes between entriesin a way that is transparent to an application. This is achieved bygenerating the values of the attributes by a CoS logic at the time of orimmediately prior to the time the entry is transmitted to anapplication, rather than storing the values of the attributes with theattribute itself. In alternative embodiments, the attributes may begenerated at a time well before the time the entry is transmitted to anapplication.

A CoS includes a CoS Definition entry and a Template entry. These twoentries interact to provide attribute values to target entries withintheir CoS “scope” based on the DN of the CoS Definition entry, theattribute value stored in the target entry's CoS Template, and otherfactors. An entry may be within the scope of a CoS Definition entry butmay not be qualified to receive a value from the scheme made up of CoSDefinition and templates. A CoS specifier is an attribute which containsa value. The value of the CoS specifier is the attribute type which mustbe present in the entry and the value of that attribute determines theclass of the target entry. The absence of that attribute may determineif the target entry qualifies for a default value under the scheme.Thus, the presence or absence of the target entry's CoS specifierdetermines whether the target entry qualifies for a value.

The CoS Definition entry, which is stored as an LDAP subentry below thebranch at which it is effective, identifies the type of CoS being used.The Template entry contains a list of attribute values that are shared.Any change made to the template entry's attribute values isautomatically applied to all entries that share the attribute. Dependingon how a Template entry is identified, three types of CoS arecontemplated in this disclosure: Classic CoS, a Pointer CoS, andIndirect CoS. Classic CoS identifies a template entry by both its DN andthe value of one of a target entry's attributes. Pointer CoS identifiesa template entry using only a Template DN. There can be only oneTemplate DN for each pointer CoS. Indirect CoS identifies a templateentry using the value of one of a target entry's attributes, which mustcontain the DN of an existing entry.

Roles and Classic CoS can be used together to provide role-basedattributes, which appear on a target entry because the target entrypossesses a particular role with an associated CoS template.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the principles disclosed herein are morereadily understood from the following detailed description and theaccompanying drawings where like numbers designate like parts, whichdrawings are incorporated in and constitute a part of thisspecification, and wherein,

FIG. 1 is a client-server architecture depicting a directory serverinteracting with a directory user agent;

FIG. 2 shows the relationship between some X.500 object classes;

FIG. 3 shows a hierarchically arranged instance of X.500 data tree;

FIG. 4 depicts a directory information model;

FIG. 5 is a block diagram that illustrates a computer system upon whichan embodiment of the disclosed system and method can be implemented;

FIG. 6 depicts the relationship between Object Classes and AttributeTypes/Syntax to Entries;

FIG. 7 illustrates a managed role definition;

FIG. 8 illustrates an instantiation of a managed role;

FIG. 9 depicts a filtered role definition;

FIG. 10 shows a nested role definition;

FIG. 11 shows an enumerated role definition;

FIG. 12 illustrates the concept of scope of a role;

FIG. 13 depicts the steps performed at the server in enumerating theentries that possess a given role;

FIG. 14 illustrates a Classic Class of Service (CoS) scheme;

FIG. 15 illustrates the concept of scope of a class of service;

FIG. 16 illustrates the relationship between the class template entriesfor a given CoS scheme;

FIG. 17 shows the relationship of an entry's RDN to an entry's DN;

FIG. 18 shows a Classic CoS definition;

FIG. 19 shows an example of two corresponding template entries usingClassic Cos;

FIG. 20 illustrates a Pointer CoS scheme;

FIG. 21 illustrates a Classic CoS scheme;

FIG. 22 illustrates a Pointer CoS definition;

FIG. 23 illustrates an indirect CoS scheme; and

FIG. 24 shows an indirect CoS definition.

DETAILED DESCRIPTION A. Computer Architecture

The presently disclosed system and method can be implemented usinghardware, software or a combination of hardware and software.Specifically, the disclosed system and method can be implemented usingeither object-oriented programming languages, like the Java and C++programming languages, or procedural programming languages such as the Cprogramming language. The disclosed system and method can be implementedusing a computer system with a single personal computer or a network ofmultiple computers.

Reference will now be made in detail to exemplary embodiments of thedisclosed system which are also illustrated in the accompanyingdrawings. Although the description includes exemplary embodiments, itcan be easily seen that other embodiments are possible, and changes canbe made to the embodiments described without departing from the spiritof the disclosed system and method.

FIG. 5 is a block diagram that illustrates a computer system 100 uponwhich an embodiment of the disclosed system and method can beimplemented. Computer system 100 includes a central processor unit (CPU)104 such as the SPARC® microprocessor, which is coupled via bus 102 toother devices such as memory device 106 such as a semiconductor memoryor other Random Access Memory (RAM) device, storage device 110 such as adisk drive, input device 114 such as a keyboard, mouse, joystick,touch-sensitive pad, microphone or camera, and output device 112 such asCRT, flat-panel display, speaker, Light Emitting Diodes, or the like.Computer system 100 also includes a communication interface 118 coupledto bus 102. Communication interface 118 provides a two-way datacommunication coupling to a network link 120 that is connected to localnetwork 122. Configured on the storage device 110 is a one or moredatabases such as the LDBM, the Oracle Relational Database ManagementSystem, or a flat file. It should be noted that the one or moredatabases could be configured on a different processor or set ofprocessors than the CPU 104, and could be coupled to the computer system100 via a network connection.

Consistent with one implementation of the disclosed system and method,information from the multiple remote resources is provided by computersystem 100 in response to CPU 104 executing one or more sequences of oneor more instructions contained in main memory 106. Such instructions canbe read into main memory 106 from another computer-readable medium, suchas the storage device 110. Execution of the sequences of instructionscontained in main memory 106 causes CPU 104 to perform the process stepsdescribed herein. In an alternative implementation, hard-wired circuitrycan be used in place of or in combination with software instructions toimplement the disclosed system and method. Thus implementations of thedisclosed system and method are not limited to any specific combinationof hardware circuitry and software.

As used in this application, the word selection or input includesinputting any information by way of pressing a key, mouse button,touching a touch-sensitive area, spoken word(s), infra-red or otheroptical method, or via a wireless method.

The term “computer-readable medium” as used herein refers to any mediumthat participates in providing instructions to CPU 104 for execution.Such a medium can take many forms, including but not limited to,non-volatile medium, volatile medium, and transmission medium.Non-volatile medium includes, for example, optical or magnetic disk,such as storage device 110. Volatile medium includes dynamic memory,such as main memory 106. Transmission medium includes coaxial cable,copper wire and fiber optics, including the wires that include bus 102.Transmission medium can also take the form of an acoustic or a lightwave, such as that generated during radiowave and infrared datacommunication. Common forms of computer-readable media include, forexample, a floppy disk, a flexible disk, hard disk, magnetic tape, orany other magnetic medium, a CD-ROM, any other optical medium, punchcards, papertape, any other physical medium with patterns of holes, aRAM, PROM, EPROM, a FLASH-EPROM, any other memory chip or cartridge, acarrier wave as described hereinafter, or any other medium from which acomputer can read.

Various forms of computer readable media can be involved in carrying oneor more sequences of one or more instructions to CPU 104 for execution.For example, the instructions can initially be carried on magnetic diskof a remote computer. The remote computer can load the instructions intoits dynamic memory and send the instructions over a telephone line usinga modem. A modem local to computer system 100 can receive the data onthe telephone line and use an infra-red transmitter to convert the datato an infra-red signal. An infra-red detector coupled to bus 102 canreceive the data carried in the infra-red signal and place the data onbus 102. Bus 102 carries the data to main memory 106, from which CPU 104retrieves and executes the instructions. The instructions received bymain memory 106 can optionally be stored on storage device 110 eitherbefore or after execution by CPU 104.

Communication interface 118 can be an integrated services digitalnetwork (ISDN) card or a modem to provide a data communicationconnection to a corresponding type of telephone line. As anotherexample, communication interface 118 can be a local area network (LAN)card provide a data communication connection to a compatible LAN.Wireless links can also be implemented. In any such implementation,communication interface 118 sends and receives electrical,electromagnetic or optical signals that carry digital data streamsrepresenting various types of information.

Network link 120 typically provides data communication through one ormore networks to other data devices. For example, network link 120 canprovide a connection through local network 122 to a host computer 124and/or to data equipment operated by an Internet Service Provider (ISP)126. ISP 126 in turn provides data communication services through theInternet 128. Local network 122 and Internet 128 both use electric,electromagnetic, or optical signals that carry digital data streams. Thesignals through the various networks and the signals on network link 120and through communication interface 118, which carry the digital data toand from computer system 100, are exemplary forms of carrier wavestransporting the information.

Computer system 100 can send messages and receive data, includingprogram code, through the network(s), network link 120 and communicationinterface 118. In the Internet example, a server 130 might transmit arequested code for an application program through Internet 128, ISP 126,local network 122 and communication interface 118. In accordance withthe presently disclosed system and method, one such downloadedapplication links a user to a directory record by associating a uniquereference identifier with both the user and the record, as describedherein. The received code can be executed by CPU 104 as it is received,and/or stored in storage device 110, or other non-volatile storage forlater execution. In this manner, computer system 100 can obtainapplication code in the form of a carrier wave.

Although computer system 100 is shown in FIG. 1 as being connectable toone server, 130, those skilled in the art will recognize that computersystem 100 can establish connections to multiple servers on Internet128. Furthermore, the computer system 100 is one that can be configuredto perform the function of (an X.500 or an LDAP) directory server aswill be explained in the following.

B. Overview of Static and Dynamic Groups

Groups are typically defined based on certain common characteristics ofthe members of the groups. A member can be included in a group if themember has an attribute of a specific type. Groups can be static ordynamic. A “static” group is one which where membership is specified bypresence in a list. An analogy would be a piece of paper with a list ofnames. Anyone named on the paper is in the group. Membership may changeat any time, just as one might cross a name off the paper list or writein a new name. So they are not terribly static.

A dynamic group is one where membership is inherent in some property ofthe entries. For example a group containing a number of persons in abuilding might be “everyone on the third floor”, and this would bedefined by a filter (query) against the directory for “floor=3”. Aspeople are moved around the building, they may become part of the floor3group, or leave it, depending on their location. A key feature ofdynamic groups is that they require no explicit maintenance—a staticgroup which is intended to contain everyone on the third floor wouldneed to be maintained, either manually or by a script and so would beeither prone to error or not always up to date. There are alsoimplementation efficiency issues relating to static versus dynamicgroups. Thus, in a dynamic group, instead of looking at a groupattribute to verify if a user possesses the group attribute, membershipis determined by checking a user attribute, which can be specifiedarbitrarily.

C. Overview of Roles

A role is a comprehensive entry grouping mechanism, similar to the groupconcept. Role unifies the concepts of static and dynamic groupings, buttransfers some of the complexity to the server side from the clientside. While dynamic groups contemplate a hierarchical tree-likestructure of an organization, roles assume that logically anorganization structure could be substantially flat or hierarchical.

The directory system expresses the fact that an entry possess a role byplacing the Distinguishing Name (DN) of the role in a computed andoperational attribute, for example, the nsRole attribute. A computedattribute is one that is computed on the fly; it is a result of acomputation. A computed attribute does not need to exist in a physicalform; it can be stored temporarily in memory. An LDAP operationalattribute is one that is available only if requested. The attributensRole is both computed and operational.

Each entry assigned to a role contains an attribute called nsRole, whichis a computed attribute that specifies all of the roles to which anentry belongs. Roles enable applications to locate the roles of anentry, rather than select a group and browse the members list.Additionally, roles allow for support of generated attribute values, anddirectory server-performed membership verification for clients. Bychanging a role definition, a user can change an entire organizationwith ease. Moreover, roles can use the LDAP Virtual List View (VLV)control mechanism to enumerate the membership in a role.

A role is defined by a role definition entry. A role is uniquelyidentified by the distinguished name (DN) of its defining entry. Roledefinition entries are implemented as LDAP subentries. Thus, a roledefinition entry inherits subentry mechanism for scope of application toa DIT subtree. An aspect of a role is that each role is defined by anentry stored in the DIT. Any client or program executing on the a clientwith appropriate access privileges can discover, identify and examineany role definition. Any client or client program with an appropriateaccess privilege can add a new role definition, or modify existing roledefinitions. Further, role definitions can be replicated in adistributed environment.

Each role has entries called “members.” Members of a role are said to“possess” the role. Two varieties of roles are possible: simple roles,and complex roles. This classification, in one aspect, allows forimplementation efficiency and supports some management functions. Aclient application can perform the following operations on roles.

-   -   (1) Enumerate the members of the role.    -   (2) Obtain an enumerated list of role members, which can be        useful for resolving queries for group members quickly.    -   (3) Determine whether a given entry possesses a particular role.    -   (4) Determine the roles possessed by an entry, which can help a        client-side application to determine whether the entry possesses        the target role.    -   (5) Enumerate all the roles possessed by a given entry.    -   (6) Assign a particular role to a given entry.    -   (7) Remove a particular role from a given entry.

A client application can check role membership by searching the nsRoleattribute, which is computed by the directory server and therefore isup-to-date. From the point of view of a client application, the methodfor checking membership is uniform and is performed on the server side.

Roles and Dynamic Groups

One of the differences between roles and dynamic groups is that dynamicgroups impose a requirement on a directory client program to retrieveand correctly process the group definition. This makes client softwaremore complex, reduces performance and brings the potential for errors onthe client, either accidental or deliberate. Roles introduce an abstractmembership test mechanism which allows responsibility for membership torest with the directory server. The client only has to know the name ofa role which is of interest to it, and how to test role membership ingeneral.

Role Operations

Given Arbitrary Roles and Entries, the Following Operations are Usefulto Clients

1. Enumerate the members of a role (i.e., provide an answer to thequestion, “which entries have this role?”) It is also useful to be ableto resolve this query in a reasonable time (significantly less than thetime to find the members by brute force examination of all the entries).It is also useful to be able to retrieve the entries in a paged orbrowsing fashion, using the existing LDAP VLV mechanism.

2. Determine whether a given entry possesses a particular role. It isuseful to be able to do this more efficiently than by determining allthe roles possessed by the entry and then checking whether the targetrole is among that set of roles.

3. Enumerate all the roles possessed by a given entry.

4. Assign a particular role to a given entry.

5. Revoke a particular role from a given entry.

It should be noted that when operations are performed on roles, the CPU104 can be programmed to search for roles possessed by entries usingboolean operators. More specifically, the following boolean operatorscan be used in determining whether an entry possesses a given role.

Operator Symbol Operation Equal = An instance of a search attributeexactly matches a role possessed by an entry. Contains * A wild cardoperator to allow presence check or partial matches. Sounds like ~=Operator used in name searches. Greater than >= Used in numericalsearches. or equal Less than <= Used in numerical searches. or equalNegation ! Used to negate an expression. AND & Used to combineexpressions. OR | Used to select from expressions.

Simple and Complex Roles

Imagine that all roles were treated similarly. A role definition couldbe as complex as required or desired. An example of a highly complexrole would be that of a nested role whose component roles includedfilters using custom matching rules and attribute syntax.

1. Membership enumeration: to enumerate the members, a client would needto separately enumerate the component roles, by submitting searchoperations to the server. The results would need to be aggregated by theclient, eliminating any duplicates. This can be more complex and onerousfor users that need only simple role operations.

2. Determine whether a given entry possesses this role: this isdifficult for a client to do. A brute force method would inefficient.Some associative indexing scheme could potentially help but can be hardto implement in an efficient manner.

3. Enumerate all the roles possessed by a given entry—this is morecomputationally complex than determining whether an entry possesses aparticular role.

4. Assign a particular role to a given entry—this also computationallycomplex, because it requires semantic knowledge of role definition.

5. Revoke a particular role from a given entry—similar to (5) above,this is complex because it requires semantic knowledge of roledefinition.

For a complex role such as the example used above, it is hard or veryhard to implement any of the five desirable role operations. Thereforeit would be convenient to define a role type with deliberately limitedflexibility, which role is called a “simple” role. The simple roleallows all five of the desirable role operations to be implementedrelatively easily and efficiently. Any role that is not a simple role isby definition a complex role. In the role definition schema, there aretwo “abstract” object classes to distinguish between simple and complexroles: nsSimpleRole and nsComplexRole. The relationship between ObjectClasses and Attribute Types/Syntax to Entries are shown in FIG. 6.

Simple Roles

A simple role has the following properties:

1. Enumerating role membership is easily and efficientlyimplemented—This enumeration can be done using VLV controls, allowingfor better scaling and user experience.

2. Computationally less complex and efficient to test an entry forpossession of a particular role.

3. Computationally less complex and efficient to enumerate the simpleroles a particular entry possesses.

4. It is obvious by inspection of the role definition how to assign asimple role to a given entry.

5. It is obvious by inspection of the role definition how to revoke asimple role from a given entry.

Complex Roles

Roles which are not simple are deemed complex, with the implication thatone or more (perhaps all) of the five operations are computationallymore complex than for the simple roles. Clients and management agentscan determine whether a given role is of the simple or complex kind,allowing a user interface (UI) to act appropriately. The applicationdeveloper can choose not to support or support in a limited orinefficient manner some server features which use roles, when the targetrole is complex. Internal to the server, it is also possible to delivernotification to subsystems when entries move in and out of simple groupmembership. This can be used to keep metadata cached for performancereasons coherent with the DIT contents.

Implementing Simple and Complex Roles

Role is a more flexible entry grouping method than dynamic groups inpart because a role allows a client to obtain the results normallyobtained using static or dynamic groups without increased clientcomplexity. A role can be configured in a number of ways to providedifferent results. Four types or roles are disclosed herein. They are,(1) Managed Role; (2) Filtered Role; (3) Nested Role; and (4) EnumeratedRole.

Managed Role

An example of a simple role is a managed role with object classnsManagedRole. Managed roles are added to an entry by adding thensRoleDN attribute to the entry. Membership of a managed role isconferred upon an entry by adding the role's DN to the entry's nsRoleDNattribute.

A “managed” role is one that can be configured to provide search resultssimilar to those available with a static grouping mechanism, i.e., tocreate a group entry that contains a list of members. Managed rolesallow a user to create an explicit enumerated list of members. FIG. 7shows an example of a managed role definition. FIG. 8 depicts an exampleentry with a managed role.

An example of an entry with this role is as follows.

Defining a Managed Role

As an example, suppose one wants to create a role to be assigned to allmarketing staff. Membership of a managed role is conferred upon an entryby adding the role's DN to the entry's nsRoleDN attribute. The user canexecute a script “ldapmodify” as follows:

-   -   ldapmodify -D “cn=Directory Manager” -w secret -h host -p 389

Then the user can specify a managed role as follows:

-   -   dn: cn=Marketing,ou=people,dc=siroe,dc=com    -   changetype: add    -   objectclass: top    -   objectclass: LDAPsubentry    -   objectclass: nsRoleDefinition    -   objectclass: nsSimpleRoleDefinition    -   objectclass: nsManagedRoleDefinition    -   cn: Marketing    -   description: managed role for marketing staff

The user can then assign the role to a marketing staff member named Bobby executing ldapmodify as follows:

-   -   ldapmodify -D “cn=Directory Manager” -w secret -h host -p 389    -   dn: cn=Bob,ou=people,dc=siroe,dc=com    -   changetype: modify    -   add: nsRoleDN    -   nsRoleDN: cn=Marketing,ou=people,dc=siroe,dc=com    -   . . .    -   add: description    -   description: Has the marketing managed role    -   . . .

Complex Roles

Three kinds of complex roles are disclosed herein, viz, filtered, nestedand enumerated roles, with corresponding object classes nsFilteredRole,nsNestedRole and nsEnumeratedRole. Other complex role types are alsopossible.

Filtered Role

A “filtered” role can be configured to provide results similar to thoseproduced by a dynamic grouping mechanism. This can be achieved byconfiguring the entries in such a way as to match a “filter”. Dynamicgroups allow a user to filter entries that contain a particularattribute and include them in a single group. After creating a role in asimilar manner to that of a managed role, a user assigns entries to afiltered role based on a particular attribute contained by each entry.This is done by specifying an LDAP filter. Entries that match the filterare said to possess the role.

A filtered role specifies an LDAP filter of arbitrary complexity.Entries matching the filter and within the sub tree specification aresaid to possess the role. FIG. 9 shows an example of a filtered roledefinition.

Defining a Filtered Role

As an example, consider a filtered role for sales managers. The user canexecute a script “ldapmodify” as follows:

-   -   ldapmodify -D “cn=Directory Manager” -w secret -h host -p 389

The user can then specify the filtered role as follows:

-   -   dn: cn=SalesManagerFilter, ou=people,dc=siroe,dc=com    -   changetype: add    -   objectclass: top    -   objectclass: LDAPsubentry    -   objectclass: nsRoleDefinition    -   objectclass: nsComplexRoleDefinition    -   objectclass: nsFilteredRoleDefinition    -   cn: SalesManagerFilter    -   nsRoleFilter: o=sales managers    -   Description: filtered role for sales managers

The following entry would match the filter and therefore be a member ofthis filtered role:

-   -   dn: cn=Pat, ou=people,dc=siroe,dc=com    -   objectclass: person    -   cn: Pat    -   sn: Pat    -   userPassword: bigsecret    -   o: sales managers        -   Description: has a filtered role

Nesting in Groups

Suppose a static group points to a list of entries. If one of theseentries in the list happens to be a group, the client side code shouldidentify and interpret that as a group and expand the group to obtainthe entries that fall into that group. If there is no client-side codeto identify and interpret a group in a list of entries, then the entryrepresenting a group will be treated as an entry representing anindividual member. This is the way nesting is performed in LDAP groups.Thus, in the case of static groups, the client has to interpret thenesting, and when it comes across a group, it has to expand the group.

Nested Role

Nesting with roles can be easily achieved. A nested role is a containerof other roles. To nest, the DNs corresponding to the roles are added orencapsulated to form the nested role. A “nested” role can be configuredto provide an additional level of abstraction by nesting different roletypes—filtered, managed, enumerated or nested—whereby an entry can be amember of any one of the roles in the nesting. Nested roles allow a userto create roles that contain other roles. A nested role can be createdwith no members nested. Alternatively, a nested role may contain one ormore members. It should be noted that the nesting or encapsulation isperformed if (1) the target entry is within the scope of the role;and/or (2) target entry is within the scope of the role that causes thetarget entry to possess the nested role.

For example, if a target entry possesses manager role, then it alsopossesses the megamanager role. Likewise, if a target entry possessesnetwork manager role, then it also possesses the megamanager role. Thesetwo roles, sales manager role and network manager role are nested withinthe megamanager role. There can be an arbitrary number of nested withinthe megamanager role. In this example, an object class nsNestedRoledefines the megamanager role to be a nested role. Included in thisnesting are the two roles—sales manager and network manager—possessed bythe megamanager role. It should be noted that an entry cannot beassigned a nested role. An entry may possess a nested role by alsopossessing a role which is nested within the nested role.

Assume an E-mail application. Suppose one wishes to send a message toboth sales managers and network managers. Assume further that the senderis aware of the E-mail address of the megamanager role. With nestedrole, the E-mail can be directed toward the megamanager role, and allroles that are nested within the mega manager role—in this example, allsales managers and all network managers—will receive a copy of theE-mail. To do this the application has only to test to ensure that thecandidate entry to whom it sends the E-mail possesses the megamanagerrole, and not the particular role, whether sales manager or networkmanager. In the case of static groups, the client application has tointerpret a group to decide whether an entry is a member of the group.In the case of roles, there is no need to do this. It is sufficient totest for the role value in the nsRole attribute.

The roles nested within the nested role are specified using the nsRoleDNattribute. FIG. 10 shows an example of a nested role definition.

Defining a Nested Role

Suppose a user wishes to create a role that contains both the marketingstaff and sales managers contained by the roles created in the previousexamples. A nested role created using the script “ldapmodify” may appearas follows:

-   -   dn: cn=MarketingSales,ou=people,dc=siroe,dc=com    -   changetype: add    -   objectclass: top    -   objectclass: LDAPsubentry    -   objectclass: nsRoleDefinition    -   objectclass: nsComplexRoleDefinition    -   objectclass: nsNestedRoleDefinition    -   cn: MarketingSales    -   nsRoleDN: cn=SalesManagerFilter,ou=people,dc=siroe,dc=com    -   nsRoleDN: cn=Marketing,ou=people,dc=siroe,dc=com

Both the users in the previous examples, Bob and Pat, would be membersof this new nested role.

Defining an Enumerated Role

An enumerated role, as the name indicates, is an enumeration or a listof members. These members are members that possess this role. Themembers need not have anything else in common. Only individual members,and not roles such as the aforementioned sales manager roles are allowedin an enumerated role.

An enumerated role is the static group reborn, but with two importantdifferences. No nesting is allowed within an enumerated role, whichpermits a valuable optimization not possible with static groups. Thebehavior of an enumerated role that includes a nesting can be undefinedor implementation-dependent.

Another difference between static groups and enumerated roles is thatenumerated roles have a scope and LDAP groups do not have scope. Scopeof a role includes, as defined elsewhere in this application, allentries in the directory tree that are at or below the level at whichthe role is defined. It is illegal to add a member to an enumeratedgroup where that entry lies outside the subtree specification. Thedirectory server software interprets an enumerated list and performs arequired operation on the list members. An example of an enumerated roledefinition is shown in FIG. 11.

Taking the E-mail application example from before, if an E-mail is sentto an address that is mapped to the DN of peonrole, which is anenumerated role, then the client tests for the existence of the rolepeonrole and routes the E-mail to all entries that possess peonrole.

Table 1 lists object classes and attributes associated with each roletype. Table 2 delineates how the roles are implemented.

TABLE 1 Object Classes and Attributes for Different Role Types Role TypeObject Class Attributes Managed Role nsManagedRoleDefinition description(optional) Filtered Role nsFilteredRoleDefinition nsRoleFilterdescription (optional) Nested Role nsNestedRoleDefinition nsRoleDNdescription (optional) Enumerated Role nsEnumeratedRoleDefinitiongroupmember description (optional)

TABLE 2 Role Implementation Managed Role Filtered Role Nested RoleEnumerated Role Membership LDAP search with LDAP subtree search Nogeneric method. No generic method. Enumeration filter nsRoleDN = withbaseDN from <role's dn> (indexed the subtree and supports VLV)specification and filter from the nsRoleFilter attribute. (VLV indexingoptional) Membership test LDAP compare LDAP compare against LDAP compareagainst LDAP compare against against nsRoleDN nsRole attribute. nsRoleattribute. nsRole attribute or attribute. LDAP compare entry's DNagainst Role's groupmember attribute. Role Enumeration Read nsRoleDNRead nsRole attribute. Read nsRole attribute. Read nsRole attribute.attribute. Assign Role LDAP modify, add Marginally meaningful.Marginally meaningful. Add entry's DN to the role's DN to role entry'smembership nsRoleDN attribute. list. Revoke Role LDAP modify, removeMarginally meaningful. Marginally meaningful. Remove entry's DN fromrole's DN from the role entry's nsRoleDN attribute. membership list.

It should be noted that roles inherit from the ldapsubentry object classwhich is defined by the IETF based in part on the subentry conceptdefined in the ISO standard, ISO/IEC X.509. Further, it should be notedthat once roles are created, graphical user interfaces can be designedto view, edit, modify, inactivate, reactivate, or delete role or roleentries.

Roles and Access Control

Access control rules can be defined such that the roles possessed by anentry determine its access rights. A directory server stores informationto control access to roles in an attribute named Access ControlInformation (ACI). ACI stores the directory server access controlinformation for a particular entry. ACIs take the general form

-   -   aci: (<target>)(version 3.0;acl“<name>”;<permission><bind        rule>;)

where,

<target> defines the object, attribute, or filter used to define whatresource to controlling access to. The target can be a DN, one or moreattributes, and/or a single LDAP filter. Target identifies whatdirectory entry the ACI applies to. The target can be, (a) a directoryentry (usually a branch of an organization's directory tree); (b) adirectory entry and one or more entry attributes; or (c) a group ofentries and/or attributes that are the result of a single LDAP filter.

version 3.0 is a required string that identifies the ACL version.

acl “<name>” is a name for the ACI. <name> can be any string thatidentifies the ACI. The ACI name is required.

<permission> defines the actual access rights and whether they are to beallowed or denied. Permissions specify the type of access allowed ordenied. An organization can either allow or deny an entity fromperforming specific operations to the directory. The various operationsthat can be assigned are known as rights. In one implementation, bydefault all users are denied access rights of any kind. The exception tothis is the user defined in the Root DN parameter of an LDAP directory.This user is known as the root or unrestricted user. The unrestricteduser has full access to a directory regardless of the permissions setfor the directory. For this reason, user must set some permissions for adirectory if a user wants any normal users to be able to access thedirectory. There are two parts to setting permissions: (a) Allowing ordenying access; and (b) Assigning rights.

<bind rule> identifies the circumstances under which the directory login must occur in order for the ACI to take effect. Binding refers tologging in or authenticating to the directory. The circumstances underwhich binding occurs determine whether access to the directory isallowed or denied. Every permission set in an ACI has a correspondingbind rule that details the specific circumstance under which bindingmust occur for the ACI to be applied. Bind rules can be simple, forexample, a bind rule can simply state that the person accessing thedirectory must belong to a specific group. Bind rules can also be morecomplex, for example, a bind rule can state that a person must belong toa specific group and must log in from a machine with a specific InternetProtocol (IP) address, during between 8 AM and 5 PM. Whether access isallowed or denied depends on whether an ACI's bind rule is evaluated tobe true. Bind rules use one of the two following patterns: (a)<keyword>=“<expression>”; and (b) <keyword>!=“<expression>”, where equal(=) indicates that <keyword> and <expression> must match in order forthe bind rule to be true, and not equal (!=) indicates that <keyword>and <expression> must not match in order for the bind rule to be true.Bind rules tell who can access the directory, when, and from where. Morespecifically, bind rules specify the users and groups that can accessthe directory, the location from which an entity must bind, the time orday on which binding must occur, or the type of authentication that mustbe in use during binding. Additionally, bind rules can be complexconstructions that combine bind methods using Boolean operators. More onACI syntax is located athttp://docs.iplanet.com/docs/manuals/directory/adminin30/adminix.htm,visited Feb. 8, 2001, which description is incorporated herein byreference in its entirety.

To implement access control for roles, the ACI syntax of a directoryserver could be extended to support a “role” property. In some cases auser may wish to protect the value of the nsRoleDN attribute with an ACLas the attribute is writable. Not every role is suitable for use in asecurity context. When creating a new role, consider how easily the rolecan be assigned to and removed from an entry. Sometimes it isappropriate for users to be able to easily add themselves to or removethemselves from a role. For example, if a user is part of an interestgroup role called Mountain Biking, the user may want interested users toadd themselves or remove themselves easily. But in some securitycontexts such as account inactivation, it is inappropriate to have openroles. By default, in some implementations, account inactivation rolescontain ACIs defined for their suffix. When creating a role, the serveradministrator can decide whether a user can assign themselves to orremove themselves from the role.

For example, user A possesses the managed role (MR). The MR role hasbeen locked using account inactivation through the command line. Thismeans that user A cannot bind to the server because the nsAccountLockattribute is computed as “true” for that user. However, suppose the userwas already bound and noticed that he is now locked through the MR role.If there are no ACLs preventing him, the user can remove the nsRoleDNattribute from his entry and unlock himself.

To prevent users from removing the nsRoleDN attribute, the followingACIs may be appropriate depending upon the type of role being used.

Access Control with Managed Roles

Because management of managed roles requires access rights to modify thetarget entries, it becomes important to control access appropriately tothe nsRoleDN attribute. Access control rules can be defined whichrestrict modification access rights to just the nsRoleDN attribute.Furthermore, access control rules can be defined such that a particularclient is restricted to adding or removing a specific set of values.This means that a particular client will be able to, say, assign andremove access to the accounting application (which is done by means of amanaged role), but the same client can not promote users to the systemadministrator managed role.

For entries that are members of a managed role, use the following ACI toprevent users from unlocking themselves by removing the appropriatensRoleDN:

-   -   aci: (targetattr=“nsRoleDN”)    -   (targetattrfilters=“    -   add=nsRoleDN:(!(nsRoleDN=cn=AdministratorRole,dc=siroe,dc=com)),        del=nsRoleDN:(!(nsRoleDN=cn=nsManagedDisabledRole, dc=siroe,        dc=com))”)    -   (version3.0; aci “allow mod of nsRoleDN by self but not to        critical values”;        -   allow(write)        -   userdn=“ldap:///self”;)

Access Control with Filtered Roles

The attributes that are part of the filter should be protected so thatthe user cannot relinquish the filtered role by modifying an attribute.The user should not be allowed to add, delete and modify the attributeused by the filtered role. If the value of the filter attribute iscomputed, then all attributes that can modify the value of the filterattribute should be protected in the same way.

Access Control with Nested Roles

A nested role includes filtered and/or managed roles, so the abovepoints should be considered for each of the roles that include thenested role.

Roles within Scope of an Entry

Every entry possessing a role has a “scope”. The scope of a role startsat the parent of the role entry and extends to all entrieshierarchically below the parent. The scope of a role at a given roleentry determines which other entries can possess the same role. Forexample, assume that there are two hierarchies of directories A and B(tree-structures) connected at the root level, as shown in FIG. 12.

Thus, the scope of a role defined for an entry at (subtree) level Aincludes all the entries that are at and below subtree A. It should benoted that the scope of the role defined for an entry at (subtree) levelA does not include any entries that are defined at or below the subtreeB. In this way, the scope is a way of limiting the search for entriesthat possess a particular role. For example, suppose two roles, bothcalled Administrator, are defined at two subtrees A and B respectively.This could happen, for instance, in an organization where subtree A isthe directory hierarchy for computer systems that are in a particularnetwork (e.g., one campus of a company or a university), and the subtreeB is the directory hierarchy for computer systems that are in adifferent network (e.g., a different campus). Though there could be twoadministrator roles, one for each campus network, access permissionsgranted to one campus administrator could be different from thosegranted to an administrator of a different campus. The scope of subtreeA limits any access rights granted to an administrator of campus A fromallowing an entry possessing that administrator role to access computersunder subtree B.

Implementing Role Functions

The following algorithms can be used to implement certain role functionsdescribed above. It should be noted that persons of ordinary skill inthe art can choose to implement these algorithms by altering the orderof the steps described herein or by making inconsequentialmodifications.

a. Enumerating Entries that Possess a Role

FIG. 13 depicts the steps performed at the server in enumerating theentries that possess a given role: For each entry within scope, thecomputed attribute nsRole is calculated and then examined to see if therole is present. This results in a list of entries that possess therole. The list is thereafter returned to a client. The client receivesthe results of the search and enumerates all the entries returned.

Deciding Between Roles and Groups

Roles transfer some complexity from the client side to the server side.With roles, clients can check role membership by searching the nsRoleattribute. In the case of roles, the method for checking membership isuniform from the point of view of the client application, and isperformed on the server side.

On the other hand, dynamic groups offer no client application supportfrom the server to provide a list of group members. Instead, theapplication retrieves the group definitions and then runs the filter.For static groups, the application must make sure that the user is apart of a particular UniqueMember value. In this case, the method fordetermining group membership is not uniform for all applications.

Managed roles allow a user to perform all actions performed normally onstatic groups. Filtered roles allow a user to perform all actionsnormally performed on dynamic groups. While they decrease client sidecomplexity, roles increase the server side complexity, becauseevaluating roles is more resource intensive.

D. Overview of Class of Service

In many cases, properties considered to belong to an individual userprofile are in fact determined as a group by the user's “class ofservice” (CoS). Consider for example a voice mail system. Each user issubject to a number of resource limits including the number of messagespermitted in their mailbox; the maximum length of message which can berecorded; whether or not they're allowed to make outgoing calls via theautomated attendant. Rather than storing the individual values for eachof these resource limits on each users'directory entry, several classesof service are defined, each with resource limits appropriate to adifferent type of user. The “superuser” class might have very highresource limits while the “ordinary user” class would have lower limits.Now each user's directory entry need only contain the service class towhich they belong. This is both smaller than the complete set ofresource limit attributes, and also much easier to manage because thenumber of service classes is much smaller than the number of users.

As an example, suppose a directory contains thousands of entries all ofwhich share a common attribute for fax number, facsimileTelephoneNumber.Traditionally, in order to change the fax number, a client applicationwould have to update each entry individually. This is a largeadministrative task, and sometimes there could be a risk of not updatingall entries.

CoS enables the user to generate the attribute facsimileTelephoneNumberdynamically. The attribute facsimileTelephoneNumber is stored in onelocation in memory or in storage, and each entry points to that locationto give a value to the entry's fax number attribute. To a clientapplication, the CoS attributes appear just like all other attributes ofan entry, despite that CoS attributes are not stored with the entriesthemselves.

As shown in FIG. 14, each CoS includes the following entries in adirectory. (1) CoS Definition Entry, which identifies the type of CoSused. CoS is stored as an LDAP subentry below the branch at which it iseffective. (2) Template Entry. The template entry contains a list of theshared attribute values. Changes to the template entry attribute valuesare automatically applied to all the entries sharing the attribute.

Scope of Class of Service

A CoS for a target entry also has a “scope.” The scope of a CoS startsat the parent of the CoS definition entry and extends to all entrieshierarchically below the parent. The scope of a CoS at a given CoSdefinition entry determines which other entries can possess the sameCoS. For example, assume that there are two hierarchies of directories Cand D (tree-structures) connected at the root level, as shown in FIG.15.

Thus, the scope of a CoS defined for an entry at (subtree) level Cincludes all the entries that are at and below subtree C. It should benoted that the scope of the CoS defined for an entry at (subtree) levelC does not include any entries that are defined at or below the subtreeD. In this way, the CoS scope is a way of limiting the search forentries that possess a particular CoS attribute. For example, supposetwo CoS entries, both called facsimileTelephoneNumber, are defined attwo subtrees C and D respectively. This could happen, for instance, inan organization where subtree C is the directory hierarchy for aparticular department (e.g., sales), and the subtree D is the directoryhierarchy for a different department (e.g., marketing). Though therecould be a different fasimileTelephoneNumber for each department,suppose that faxes to the sales department should not arrive at the faxnumber for the marketing department, and vice versa. The scope of theCoS attribute facsimileTelephoneNumber at subtree C automaticallyincludes all entries at or below the level A, and all employee entriesdefined at level C will be listed as having the facsimileTelephoneNumberdefined at subtree C.

A CoS includes a CoS Definition entry and a Template entry. These twoentries interact to provide attribute values to target entries withintheir CoS “scope” based on the DN of the CoS Definition entry, theattribute value stored in the target entry's CoS Template, and otherfactors. An entry may be within the scope of a CoS Definition entry butmay not be qualified to receive a value from the scheme made up of CoSDefinition and templates. A CoS specifier is an attribute which containsa value. The value of the CoS specifier is the attribute type which mustbe present in the entry and the value of that attribute determines theclass of the target entry. The absence of that attribute may determineif the target entry qualifies for a default value under the scheme.Thus, the presence or absence of the target entry's CoS specifierdetermines whether the target entry qualifies for a value.

Implementing CoS Feature in a Directory Server

Typically the CoS feature is implemented by an application and not bythe storage system which contains the user profile data (e.g. a databaseor directory server). This however is more by necessity than design,since these storage systems usually don't offer any CoS capability. Thissection describes a CoS facility for a Directory Server, which issuitably implemented in a plugin. It should be noted that the samegeneral principles can be extended to other storage systems such as aDatabase, a flat file and the like.

CoS allows a user of a directory server to share attributes betweenentries in a way that is transparent to a client application. With CoS,some attribute values may not be stored with the entry itself. Instead,the attribute values are generated by a CoS logic as the entry istransmitted to a client application. Clients of the Directory Serverread user's entries in the normal way. The clients see attributes onthese entries as usual. Some attribute values may not have been storedwith the entry however, they have been generated by CoS logic as theentry is sent to the client.

The CoS Definition Entry and the Template Entry interact to providevalues to their target entries, which are entries within the scope ofCoS Definition entry. The value the CoS Definition Entry and theTemplate Entry provide to target entries depends on several factors:

-   -   (a) The entry's DN. (different CoS regimes can be maintained for        different portions of the DIT).    -   (b) A service class attribute value stored with the entry (for        example: “nsmail-cos:ordinary” in a Messaging Server). The        absence of the attribute altogether can also imply a specific        default CoS.    -   (c) The attribute values stored in a class template entry. One        such entry is selected to supply the attribute values for one        particular service class.    -   (d) The object class of the entry. CoS attribute values will        only be generated where the entry has an object class which        allows the attribute. If schema checking is turned off, this        rule is not enforced.    -   (e) The attribute values stored in some particular entry in the        DIT, for example a container entry.    -   (f) The attribute values stored in an entry pointed to by a DN        stored in an attribute of the entry.

It should be noted that multiple CoS schemes can be defined within aserver. In some embodiments, to define schemes such that they conflictwith each other might be regarded as an illegal definition.

As shown in FIG. 16, the class template entries for a given CoS schemeare all stored in the DIT, as children of a common parent entry. Eachdirectory entry includes a relative DN (RDN). The relationship of anentry's RDN to the entry's DN is pictorially shown in FIG. 17. Therelative DNs of the template entries are the respective values of aservice class attribute called cosSpecifier and a default RDN called“cosSpecifier-default”. The cosSpecifier is an attribute in the CoSDefinition entry, whose value is an attribute type that should appear ina target entry, the value of which target entry in turn determines whattemplate entry is to be applied. The default RDN value will be used whenthe service class attribute value is NULL or not present. For example, acosDefinition with a cosSpecifier value of “test”, would have a defaulttemplate of “test-default”.

First a CoS scheme, which includes a CoS definition, is created.Creating a CoS definition entry results in the creation of a CoSspecifier and a list of attributes which could be provided by the CoSdefinition entry. A CoS scheme also includes a CoS Template entry. Inorder for the CoS mechanism to work, a CoS scheme must be associatedwith at least one template entry. If a CoS scheme is not associated withat least one template entry, the scheme is ineffective. A CoS templateentry represents a set of attribute-value pairs that could be applied toa target entry. At a later time, any number of template entries—alsosometimes referred to as a service class—may be created under a givenCoS scheme. These CoS template entries are stored as children of acommon parent entry, which could be the CoS scheme entry with which thetemplate entry is associated, or a parent of the CoS scheme entry. Alsocreated with the CoS Definition entry is a list of attribute types thatare to appear in target entries; and a value of the CoS specifier, whichrepresents an attribute type that should appear in target entries, andwhich is used to decide among different possible templates.

From the client perspective, a service class is a property of an entry.The way to decide what class an entry has is by examining the CoSspecifier property of the entry and the value of the CoS specifierproperty in a target entry determines the template entry to be used.

Types of Classes of Service

Classes of service definitions (that is, all the information, save thetemplate entries, needed in order to generate attribute values definedby a CoS) are stored in LDAP Subentries, which can be located anywherein the DIT. A directory server user may use different types of CoSdepending on how the user wishes to generate the values of dynamicattributes. There are three types of CoS: (a) Classic CoS; (b) PointerCoS; and (c) Indirect CoS. Corresponding to these different types ofCoS, CoS definition entries have objectclass cosClassicDefinition,cosPointerDefinition or cosIndirectDefinition:

Classic Class of Service

A classic CoS identifies the template entry by both its DN and the valueof one of the target entry's attributes. Classic CoS can have multipletemplate entries, including a default CoS template to be applied tothose entries which do not belong to any other CoS template.

Classic CoS and Roles can be used together to provide role-basedattributes. These attributes appear on an entry because it possesses aparticular role with an associated CoS template. For example, one coulduse a role-based attribute to set the server look through limit on anyrole-by-role basis.

In Classic CoS, template entries are selected based on the value of aspecifier attribute in the entry. This is depicted in FIG. 18. In thisexample, a CoS specified by the attribute “mailServiceClass” is defined.This service class set defines the values of attributes “mailboxquota”and “maySendExternalMail”. The values are to be taken from templateentries stored in the DIT under “cn=LocalConfig, cn=MailServerCOS”. Theservice classes only pertain to entries within the portion of the treeunder “ou=People, o=Netscape.com”. FIG. 19 shows an example of twocorresponding template entries.

Using Classic Cos to Provide an Attribute-Value Pair to a Client

A client program may never even know the existence of a class of servicein a directory system. The client merely looks to obtain a value of anattribute for a given target entry, which could be a target entry. Forexample, suppose a client queries the directory for a fax numbercorresponding to a person John Doe. The client sends a request in a wayit does to any directory system, whether or not the directory systemimplemented fax number as a service class. Thus, the client is not awareof the implementation details of how or where the fax number for JohnDoe is stored or is computed.

Suppose that the organization of which John Doe is a part assigns ashared fax number to John Doe, Jane Roe and other individuals. In atypical directory system, the fax number (i.e., the actual numberrepresenting the fax number such as 650-555-1212) is stored in adirectory or other database in a record associated with John Doe. Butsince the attribute is shared by a number of people, and since therecould be changes to these people, it is better to store the fax numberin one location and assign a fax number attribute to the individualrecords corresponding to these individuals. In such a scheme, thedirectory server first receives a request for an attribute-value pairassociated with a target entry (John Doe), and looks up to determinewhich template entry is relevant to determining a value to the attributerequested. This is done by performing a search of a list ofattribute-value pairs which are associated with template entries. Thesetemplate entries are in turn associated with CoS Definition entries forinstances of attribute-value pairs that match the requested attributetype. A result of this search is a list of matched list ofattribute-value pairs. This list is stored in memory and a number ofconstraints are applied to the list of matched attribute-value pairs.The resulting attribute-value pair is what is returned to the client.

To apply a constraint to the list, the directory server iterates throughthe matched list of attribute-value pairs in order to determine (1) if agiven attribute-value pair is in the same CoS scope as the requestedattribute-value pair, (2) if the CoS specifier of the attribute-valuepair matches the specifier of the corresponding CoS definition, if theCoS specifier of the attribute-value pair matches the corresponding CoSTemplate. Other constraints that could be applied include whether theattribute-value pair has a priority—i.e., whether it closely matches aCoS scheme to the entry hierarchically, sorted in a priority order, saidpriority being determined by the position on the disk, etc.

To accomplish this search, advantageously, the CoS Definition entries,the CoS template entries and the target entries may be read from disk tomemory so that a fast searching algorithm may be applied in memory,thereby avoiding disk hits.

Pointer Class of Service

In the case of Pointer CoS, there is no CoS specifier, i.e., an entrycannot choose between two or more CoS schemes. A pointer CoS identifiesa template entry using only the entry's Template DN. For each pointerCoS, the definition points to a single template entry (template DN). Apointer CoS applies to all entries within the scope of the templateentry.

Referring to FIG. 20, which shows a diagrammatic version of a pointerCoS in a Directory Information Tree (DIT), at a branch node 2000, aPointer CoS is defined by two entries, the Pointer CoS Definition Entry2010 and the Pointer CoS Template Entry 2020. Target entries 2030 thatare within the scope of this pointer CoS are also shown. Any targetentry within scope of the Pointer CoS definition of the branch node 2000get the value provided by that template, if they are qualified to getany value. The difference between Classic CoS and Pointer CoS is that inthe latter, there is no choice of what value a target entry may get forthat CoS scheme. This important difference between Classic CoS andPointer CoS can be appreciated with reference to a DIT depicting ClassicCoS as shown in FIG. 21. An example of a pointer COS is as shown in FIG.22. In this example, every target entry will inherit the organization'sfax number, unless a particular target entry has its own fax numberattribute.

Indirect Class of Service

An indirect CoS identifies the template entry using the value of one ofthe target entry's attributes. In Indirect CoS, template entries are notdefined within the CoS Scheme along with the CoS Definition entry. Afirst target entry may indirectly use a second target entry as atemplate entry and take on the second target entry's attribute-valuepairs. It should be noted, however, that the first target entry's CoSspecifier attribute must contain the DN of an existing and valid secondtarget entry. Thus, in indirect CoS, a DN-valued attribute in the firsttarget entry points to a temporary template entry, which is the secondtarget entry's attribute-value set. The value in the attribute-valuepair, which represents the CoS specifier must be a DN and must point toa valid entry.

Referring to FIG. 23, an indirect CoS scheme contains a CoS DefinitionEntry 2310, which contains a CoS specifier X and a list of attributes.This CoS specifier X is an attribute such as manager that points toanother entry, which could be any entry or another target entry. Thislist of attributes could include, for example, a fax number attributethat is shared by all the persons in a particular group managed by thatmanager. Three target entries A, B and C are showing in FIG. 23. Ofthese entries, C could be a manager of the group. Entry A uses indirectCoS to take on the values for certain attributes, such as fax number,from A's manager, i.e., target entry C. Note that in order for this tobe possible, the value given to the CoS specifier X in A's entry must bea valid DN, in this case, the DN of the manager entry C. FIG. 24 showsan example of an indirect CoS. In this example, each person's entry willinherit “accounting code” from their manager's entry. When an employeemoves to another department, and thereby his manager changes, accountingcodes automatically change to the correct new value when an employee'smanager attribute changes.

Interaction with Stored Attribute Values

If the CoS logic in a directory server detects that the attribute whosevalue it is generating is in fact already stored on the target entry,the default action is to supply the stored value to the client thatrequested the value of the attribute. However, the server's behavior canbe controlled by means of the cosDefinition entry. The cosAttributevalues allow an additional qualifier appended after the attribute typename. Valid qualifier values include “override”, “default” and“operational”. An absent qualifier means the same as “default”. Overridecan mean that the server will always return the value generated by theCoS logic even when there is a value stored with the entry. Default canimply that the server will only return a generated value if there is nocorresponding attribute value stored with the entry. Operational canindicate that the attribute will only be returned if it is explicitlyrequested in the search. In addition, operational attributes suitablyare not required to pass a schema check to be returned. Otherembodiments can have different methods of implementing this feature. Theoperational qualifier can be combined with default or override toproduce the required behavior.

For example,

-   -   dn: cn=messaging_server_cos, cn=cosdefinitions, o=NetscapeRoot    -   objectclass: top    -   objectclass: cosSuperDefinition    -   objectclass: cosClassicDefinition    -   cosTemplateDn: cn=LocalConfig, cn=MailServerCOS    -   cosSpecifier: mailServiceClass    -   cosAttribute: mailboxquota override    -   cosAttribute: hassmellyfeet default operational    -   cosAttribute: maysendextemalmail default

A Note on Templates

Since it is possible to create CoS schemes that compete with each otherto provide an attribute value, it is desirable to be able to determinewhich would prevail in such a case. For maximum flexibility, it wouldalso be desirable to be able to do this at the template level such thateven templates from the same scheme are prioritized. Note that multipletemplate matches in the same scheme is possible because the cosSpecifiercan be mutli-valued, and with role-based attributes, (see Section C.Overview of Roles, supra) this is even quite likely to happen. To thisend, the cosTemplate objectclass has a single allowed attribute:cosPriority.

The cosPriority attribute represents the global priority of a particulartemplate as a numeric decimal value. In this priority scheme zero is thehighest possible priority with the lower priorities extending towardsinfinity. Templates with higher priorities will be favored over and tothe exclusion of templates with lower priorities. Templates which do nothave a cosPriority attribute are considered to have the lowest prioritypossible, or no priority. In the case where two or more templates arebeing considered for supply of an attribute value, and they have thesame (or no) priority, the result is undefined, but does not exclude thepossibility that a value will be returned, however arbitrarily chosen.

Configuration and Management

Because all the configuration information and template data is stored asentries in the directory, standard LDAP tools can be used forconfiguration and management. Specialized scripts, command-line toolsand graphical UI could be developed. These would use the LDAP SDK toinspect and change the configuration. Further discussion of such toolsis outside the scope of this document.

Access Control for Class of Service Attributes

The server controls access to attributes generated by a service class inexactly the same way as regular stored attributes. Access control rulesdepending upon the value of attributes within an entry will behave asexpected even when those attribute values are generated by COS.

Implementation Restrictions

In some cases, an LDAP search request containing a filter thatreferences an attribute defined by CoS cannot be serviced. The serverwill respond with an “unwilling to perform” message when it is presentedwith such an unsupported request.

E. Implementation and Operation

Roles can be implemented in a product such as the iPlanet MessagingServer and the iPlanet Directory Server marketed by the SunMicrosystems, Inc. and Netscape Communications Corporation Alliance,based in Santa Clara, Calif. These products allow a user in anorganization to route mail to groups of users. While this is used as anillustration of the principles disclosed, persons of ordinary skill inthe art readily understand that the principles can be practiced in manyother applications, and therefore the disclosure should not be limitedto only those illustrative uses presented herein.

The Directory Server provides global directory services, i.e., itprovides information to a wide variety of applications. A globaldirectory service solves the n+1 directory problem—whereby informationreplicated in multiple instances of directories could not be managedeasily—by providing a single, centralized repository of directoryinformation that any application can access. A wide variety ofapplications access the directory by way of a communication network.Advantageously, the Directory Server uses LDAP (Lightweight DirectoryAccess Protocol) to give applications access to its global directoryservice.

The Directory Server can store all of a customer organizationalinformation in a single, network-accessible repository. The followingare illustrations of the kind of information an organization might storein a directory:

-   -   (i) Physical device information, such as data about the printers        in the organization (where they reside, whether they are color        or black and white, their manufacturer, date of purchase, and        serial number).    -   (ii) Public information concerning an employee, such as name,        E-mail address, and department.    -   (iii) Private information related to an employee, such as        salary, government identification numbers, home addresses, phone        numbers, and pay grade.    -   (iv) Contract or account information, such as the name of the        client, final delivery date, bidding information, contract        number, and milestone due dates.

The Directory Service could be designed as a general-purpose directory,which serves the needs of a wide variety of applications and provides astandard protocol and application programming interfaces (APIs) toaccess the information it contains.

The Directory Server, in an embodiment, includes the directory itself,the server-side software that implements the LDAP protocol, and agraphical user interface that allows end-users to search and modify thedirectory. Other LDAP clients are also available, including thedirectory managers in a Console and the Address Book feature in NetscapeCommunicator. In addition, a user can purchase other LDAP clientprograms or write own programs using an LDAP client Software DevelopmentKit (SDK) included by a Directory Server manufacturer.

Without adding other LDAP client programs, the Directory Server canprovide the foundation for an organization's intranet or extranet. Aserver can be configured to use a directory as a central repository forshared server information such as employee, customer, supplier, andpartner data.

Directory Server can be used to manage extranet user-authentication,create role-based access control, set up user preferences, andcentralize user management. In hosted environments, partners, customers,and suppliers can manage their own portions of the directory, reducingadministrative costs.

An directory client (or client for short) accesses a directory byinteracting with a Directory server through the LDAP API, which is a setof functions (or classes) that request the server to perform operationsdefined by the LDAP protocol. For example, the server responds to asearch request by searching the directory and returning a list of thematching entries. Netscape Communicator is an example of an LDAP client;Communicator's address book feature enables a user to look up a person'se-mail address in various directories located on LDAP servers—not onlythe user's personal address book but also a corporate-wide directory oran Internet-wide directory such as the one available athttp://www.Four11.com.

Overview of Directory Server Architecture

A Directory Server includes the following components:

-   -   (a) A front-end responsible for network communications,    -   (b) One or more backend plug-ins for database management, and    -   (c) A basic directory tree containing server-related data.

The front-end of Directory Server manages communications with directoryclient programs. The Directory Server may be implemented as a daemonprocess on UNIX® systems and as a service on Windows-NT®. Multipleclient programs can communicate with the server in LDAP format. They cancommunicate using LDAP over both TCP/IP and SSL/TCP/IP, depending onwhether the client negotiates use of Transport Layer Security (TLS) forthe connection.

When the communication takes place with transport layer security (TLS),then it is usually encrypted. TLS can be used in conjunction withsecured DNS to provide confirmation to client applications that they arebinding to the correct server. If clients have been issued withcertificates, TLS can be used to confirm that the client has the rightsto access the server. TLS or its predecessor SSL can be used in theDirectory Server to perform security activities such as messageintegrity checks, digital signatures, and mutual authentication betweenservers.

Multiple clients can bind to the server at the same time over the samenetwork because the Directory Server is a multi-threaded application. Asdirectory services grow to include larger numbers of entries or largernumbers of clients spread out geographically, they also include multipleDirectory Servers placed in strategic locations around the network.

In an embodiment, the Directory Server relies on plug-ins. A plug-in isa way to add functionality to the core server. For example, an LDBMdatabase is a plug-in. Plug-ins can have a state, i.e., they can bepresent but disabled. A user can enable any of the plug-ins providedwith Directory Server depending upon the functionality the user wants toadd to server. In addition, custom plug-ins can be written for DirectoryServer.

Directory data is stored in an LDBM database. Advantageously, the LDBMplug-in is automatically installed with the directory server and isenabled by default. A user can make as many instances of the LDBMdatabase as needed. The LDBM database is the basic unit of storage,performance, replication, and indexing. A user can perform operationssuch as importing, exporting, backing up, restoring, and indexing on thedatabase.

In one embodiment, Directory Server uses a single database to configurea directory tree. This database can manage millions of entries. Inalternative embodiments, the database supports advanced methods ofbacking up and restoring data, so that user data is not at risk.Directory Server can support multiple databases. A user can distributedata across the databases, allowing the server to hold more data thancan be stored in a single database.

In an embodiment, the Directory Server uses a format such as the LDAPData Interchange Format (LDIF), which is a standard text-based formatfor describing directory entries. LDIF is defined in RFC 2849 and isavailable through sources such as the IETF. An LDIF-compliant directoryhas one or more directory entries separated by a blank line. An entry isa group of lines in the LDIF file that contains information about anobject, such as a person in an organization or a printer on a network.Information about the entry is represented in the LDIF file by a set ofattributes and their values. Each entry has an optional entry identifier(ID), a required distinguished name, one or more object classes, and oneor more attribute definitions. The object class is attribute thatspecifies the kind of object the entry describes and defines the set ofadditional attributes it contains. Each attribute describes a particulartrait of an entry.

The basic form of a directory entry expressed in the LDIF format is:

dn: <distinguished name> <objectclass> <object class> <objectclass><object class> ... <attribute type>[;subtype]: <attribute value><attribute type>[;subtype]: <attribute value> ...

Creating an Organizational Entry

Directories often have a top-level entry for an organization. Ingeneral, this is the first, root, or topmost entry in a directory. Theorganizational entry often corresponds to the suffix set of thedirectory. For example, if the directory is defined to use a suffix ofdc=siroe, dc=com, then the organization entry likely will be nameddc=siroe, dc=com. The LDIF specification for an organization entry hasthe form:

-   -   dn:<distinguished name>    -   objectclass: top    -   objectClass: organization    -   o: <organization name>    -   <list of attributes>    -   . . .

As an example,

-   -   dn:dc=siroe,dc=com    -   objectclass:top    -   objectclass:organization    -   o:Siroe Corporation    -   description: Fictional company for example purposes    -   telephoneNumber: 555-5555

Specifying Organization Unit Entries

Organizational unit entries are often used to represent major branchpoints, or subdirectories in a directory tree. They correspond to major,reasonably static entities within an enterprise structure, such as asubtree that contains people, or a subtree that contains groups.However, the organizational unit attribute contained in an entry canalso represent a major organization within an enterprise, such asmarketing, or engineering. There could be more than one organizationalunits, and in a typical directory tree, there usually are more than oneorganizational units.

An organizational unit can be specified in the LDIF format as follows.

-   -   dn:<distinguished name>    -   objectclass: top    -   objectclass: organizational Unit    -   ou: <organizational unit name>    -   <list of attributes>    -   . . .

As an example, the following is an organizational unit entry in the LDIFformat.

-   -   dn: ou=people, dc=siroe, dc=com    -   objectclass: top    -   objectclass: organizationalUnit    -   ou: people    -   description: fictional organizational unit for example purposes

Further, an entry might be of an object class organizationalPerson,indicating that the entry represents a person within a particularorganization. This object class might contain a givenname andtelephoneNumber attribute for the entry, giving the name and phonenumber of the person within the organization. As an example, let usconsider the object class inetOrgPerson, the schema for which is givenbelow.

TABLE Attributes of an LDAP-based inetOrgPerson Object AttributesAttribute Description Cn (Required) Defines the person's common name. Sn(Required) Defines the person's surname, or last name. BusinessCategoryIdentifies the business in which the person is involved. CarLicenseIdentifies the person's car license plate number. DepartmentNumberIdentifies the department for which the person works. DescriptionProvides a text description of the person. employeeNumber Identifies theperson's employee number. EmployeeType Identifies the person's type ofemployment (for example, full time). FacsimileTelephoneNumber Identifiesthe person's fax number. GivenName Identifies the person's given, orfirst, name. HomePhone Identifies the person's home phone number.HomePostalAddress Identifies the person's home mailing address. InitialsIdentifies the person's initials. JpegPhoto Contains an image in jpegformat. L Identifies the location in which the person resides.LabeledURI Specifies a universal resource locator that is relevant tothe person. Mail Identifies the person's electronic mailing address.Manager Distinguished name representing the person's manager. MobileIdentifies the person's mobile phone number. Ou Identifies theorganizational unit to which the person belongs. Pager Identifies theperson's pager number. PhysicalDeliveryOfficeName Identifies a locationwhere physical deliveries can be made. PostalAddress Identifies theperson's business mailing address. PostalCode Identifies the person'sbusiness postal code(such as a United States zip code). PostOfficeBoxIdentifies the person's business post office box.PreferredDeliveryMethod Identifies the person's preferred method ofcontact or delivery. RoomNumber Identifies the room number in which theperson is located. Secretary Identifies the person's secretary oradministrator. SeeAlso URL to information relevant to the person. StIdentifies the state or province in which the person resides.StreetAddress Identifies a street address at which the person islocated. Aci Identifies access control information for the person'sentry. TelephoneNumber Identifies the person's telephone number. TitleIdentifies the person's title. Uid Identifies the person's user ID.UserPassword Identifies the password with which the person can bind tothe directory. ×500UniqueIdentifier Undefined.

Directory Server also includes attributes that are read-only andcalculated by the server. These attributes are called operationalattributes. There are also some operational attributes which can be setby the administrator, for access control and other server functions.

As stated above, entries in a directory are stored in a hierarchicalstructure in the directory tree. In an LDAP-compliant directory, one canquery an entry and request all the entries below it in the directorytree. However, with Directory Server, not all entries will be returnedin response to an LDAP request. The directory tree can contain hiddenentries that don't appear when clients make requests. These entries areof the object class ldapsubentry. For example, entries used to defineroles and CoS are of the ldapsubentry type. To receive these entries,clients need to search specifically for entries of this object class.

Sometimes, the server is requested to search and retrieve entries undera given subtree of the structure. This subtree is called the basedistinguished name, or base DN. For example, if one makes an LDAP searchrequest specifying a base DN of ou=people, dc=siroe,dc=com, then thesearch operation examines only the ou=people subtree in thedc=siroe,dc=com directory tree.

Creating Target Entries

Target entries can use the inetOrgPerson, organizationalPerson, andpersonobject classes shown in the tables below. The distinguished nameentry for a user could be of the form:

-   -   cn=full name, ou=organization, . . . , o=base organization,        c=country

For example, if a target entry for Billie Holiday is created within theorganizational unit Marketing, and the directory's base DN is o=AceIndustry, c=US, then the person's DN is:

-   -   cn=Billie Holiday, ou=Marketing, o=Ace Industry, c=US

It should be noted that this format could be changed to a uid-baseddistinguished name. The values on the user form fields are stored as thefollowing LDAP attributes:

User Field Corresponding LDAP attribute Given Name givenName Surname snFull Name cn User ID uid Password userPassword E-mail Address email

Sometimes a user's name can be more accurately represented in charactersof a language other than the default language. In such cases, apreferred language for users can be specified so that their names willdisplay in the characters of the that language, even when the defaultlanguage is English. An example of a record containing textual dataabout a user can be as follows:

LDAP field Comments dn: cn = John Doe, dn = the distinguished name, theunique o = SUN, c = US key for the record. objectclass: top objectclassattributes denote the type of record. objectclass: person objectclass:organizationalPerson givenname: John givenname = the user's first name.A user can have multiple givennames. sn: Doe sn = surname, the user'slast name. Typically there is only one per record. cn: John Doe cn =common name, the name the user is typically known by in theorganization. It is traditionally part of the dn, and there is only oneper record. uid: jdoe uid = a user's id, used for authenticationpurposes. mail: guest@sun.com A user's e-mail address. There can bemultiple per record. Telephone: 202-555-1212 The user's telephonenumber. There can be multiple per record. creatorsname: uid = entadmin,The dn of the user who o = SUN, c = US created this record.createtimestamp: 20000225160825Z The time when record description: Thisentry was was created, in GMT. modified with the LWLDAP program A notefield; can be by jdoe at 05 Mar. 2000 7:35:22 AM anything and there canbe multiple entries per record. userpassword: The user's password;{SHA}NWdeaPS1r3uZXZIFrQ/EOELxZFA this example is stored in secure hashalgorithm format, but can be stored in clear-text or MD5 hash format.modifytimestamp: 20000313201039Z The time when record was last modified,in GMT. modifiersname: uid = entadmin, The dn of the user who o = SUN, c= US modified this record. title: Sales Representative The title of theuser

Each record can be thought of as an object. User objects can belong togroups of unique members (such as organizational units); groups can inturn belong to other groups.

The dn usually contains at least the user's first and last names (commonname, “cn”), the organizational unit (“ou”) the user belongs to, and thebase field of the user's organization's hierarchy (known as thedirectory base, consisting of the organization name, “o,” and country,“c”). One could also include a user's id or social security number orsome other field to help provide uniqueness to a given dn. Here's anexample of such a dn:

-   -   cn=John Doe+uid=jdoe,ou=ACS,o=SUN,c=US

If no special attributes are specified in the dn like uid or ou, the dnis assumed to be at the top of the hierarchy.

Searching a Directory

Most Directory servers provide a publicly accessible search interfacethat a client can interact with. The Directory specification allows forboolean, wildcard, and case-insensitive searching. The Directory searchsyntax currently is obscure and arcane, so it does take some time to getused to. A search can have two steps. As a first step, a hierarchy,called the search base, is specified. An example of a search base is asfollows.

-   -   Search Base: o=SUN,c=US        All the searches will start from our search base, which in this        case is the root of the SUN (Sun Microsystems, Inc.) Directory        server hierarchy. As a second step, a search filter is        specified. Some examples of filters are as follows.    -   cn=John Doe    -   sn=Do*    -   (&(cn=Jo* Doe)(ou=Accounting))        The first filter will look for a common name (“cn”) matching        John Doe. The second filter will search the Directory server for        all users that have a last name (“sn”) with “Do” as the first        two letters. It will return Doe, Dogbert, and Doughtery, but not        Plado. The third filter, an example of a boolean AND search,        will return all users who have a first name that starts with        “Jo” and a last name of Doe that are a part of the        organizational unit (“ou”) Accounting. The boolean Directory        server operators are & for AND, | for OR, and ! for NOT. Notice        that in an embodiment, the operator is placed first inside a        group of parentheses.

The code sample below is a Java programming language method that takes asearch base, a user name, and an attribute to search for, and returns anarray of any matches it finds.

public synchronized String[ ] getAttrib(String searchBase, Stringusername, String attribute){ // Returns an array of attributes. String[ ] myAttrib= null; try{ // Sets up the Directory server filter. StringMY_FILTER= “(l(uid=“+username+”)(cn=“+username+”))”; // Sets up to passback only the attribute(s) wanted String[ ] attrNames = { attribute };if ( searchBase = = null ){ searchBase = MY_SEARCHBASE; } // Performsthe actual search. LDAPSearchResults res = ld.search(searchBase,LDAPv2.SCOPE_SUB, MY_FILTER, attrNames, false); /* Loops on resultsuntil finished; will only be one! */ if (res.hasMoreElements( ) ) {LDAPEntry findEntry = (LDAPEntry)res.nextElement( ); /* Gets theattributes of the entry. */ LDAPAttributeSet findAttrs =findEntry.getAttributeSet( ); Enumeration enumAttrs =findAttrs.getAttributes( ); /* Loops on attributes. */ while (enumAttrs.hasMoreElements( ) ) { LDAPAttribute anAttr =(LDAPAttribute)enumAttrs.nextElement( ); String attrName =anAttr.getName( ); if ( attrName.equals(attribute) ) { EnumerationenumVals = anAttr.getStringValues( ); Vector myVector = new Vector( );while (enumVals.hasMoreElements( )){ myVector.addElement((String)enumVals.nextElement( )); } myAttrib = new String[myVector.size( )];try{ // Will speed up stepping through enumVals. for(int i=0;;i++){myAttrib[i] = (String)myVector.elementAt(i); } }catch(ArrayIndexOutOfBoundsException z) {} } } } } catch (LDAPExceptione) { switch( e.getLDAPResultCode( ) ) { case e.NO_SUCH_OBJECT:System.out.println( “The specified user does not exist.” ); casee.INVALID_CREDENTIALS: System.out.println(“Invalid password for user: ”+username): default: System.out.println(e.toString( )); } } returnmyAttrib; }

Creating an LDAP Application

An directory client application generally follows these steps wheninteracting with a Directory server:

-   -   1. initializing a session with a Directory server    -   2. authenticating itself to the Directory server    -   3. performing operations    -   4. closing the connection to the Directory server

Initializing a Session with a Directory Server

During initialization, as shown in the code below (listing), a number ofvariables need to be set for the client environment. The defaultlistening port is 389 if SSL is not used, and 636 if SSL is used.

// Set to your Directory server host. project.host =“directory.phoenixgroup.com”; // Set to Directory Server port.project.port = 389; // Set to directory base. project.searchBase =“o=Phoenix Group,c=US” // Set to the distinguished name. project.mgr_dn= “cn=SSJS LDAP,ou=Information Services,o=Phoenix Group,c=US” // Set tothe password for the DN. // May be blank for mgr_dn & mgr_pw ifdirectory allows anonymous searches. project.mgr_pw = “<MGR DNPASSWORDS>” // Grab an LDAP connection. var ldap = connect(project.host,parseInt(project.port), project.searchBase, project.mgr_dn,project.mgr_pw); if (ldap = = null){ // Connection could not be made.write(“Failed to connect to Directory server. See error log or JavaConsole<br>”);} else{ // Store the connection in the project object. */project.ldap = ldap; redirect(“home.htm”); } In a start page (login.htm)the following lines of code can be included, which checks for theexistence of “project.ldap” and redirects back to this page if needed.if (project.ldap = = void(0)){ redirect(‘init.htm’); // The redirect atthe end of the code is irrelevant when this // initial page is calledduring application or server startup. }

Authenticating the Client to the Directory Server

When a client application establishes a connection with a Directoryserver, the client application has the option to connect as anauthenticated user or anonymously. To perform certain directoryoperations (such as password checking or changing a record's attribute),the client application must be an authenticated user. In some instancesa client is granted extra rights depending on the group of which it is apart.

When a client application authenticates itself to a Directory serverdatabase, the Directory server API expects the call to be in the form ofa user's dn and password. Users can't be expected to remember their fulldn but they can usually provide their user id. Directory server-basedauthentication usually performs a search to retrieve the user's dn andthen make an “authenticate” method call, as shown in the code samplebelow.

var passwd = request.pwd; var login =authenticate(project.ldap,user,passwd); debug(‘<B>’+user+‘</B>’);debug(‘<B>’+passwd+‘</B>’); debug(‘<B>’+login+‘</B>’); if (login = =true){ client.user = user; // I'm doing this instead of a redirect.write(‘<FORM NAME=“redir” ACTION=“attrib.htm” METHOD=POST>’);write(‘<INPUT TYPE=“hidden” NAME=“junk”>’); //Need at least one field.write(‘</FORM>’); } else{ // a redirect is simulated 'cause the valuesare not desired to be passed on the URL line write(‘<FORM NAME=“redir”ACTION=“login.htm” METHOD=POST>’); write(‘<INPUT TYPE=“hidden”NAME=“relogin” VALUE=“YES”>’); write(‘<INPUT TYPE=“hidden” NAME=“badpw”VALUE=“YES”>’); write(‘</FORM>’); }

Performing Directory Operations and Disconnecting from the DirectoryServer

While most data in a Directory server is in a binary format, most of auser's interaction with the Directory server in an intermediate dataformat called LDAP Data Interchange Format (LDIF). This is an ASCII textrepresentation meant to foster the ability to transfer LDAP data betweenservers such as an LDAP-compliant Directory server and to manipulateDirectory server records with a variety of clients. The code below showshow to change a user's password.

user = client.user; oldpw = request.oldpw; newpw = request.newpw; newpw2= request.newpw2; if (newpw != newpw2){ redirect(“changepw.htm”); }else{ var goodpw = authenticate(project.ldap,user,oldpw); if (goodpw = =true){ // Change password will also test changeAttrib because //changePW is actually a wrapper to that method. var didChange =changePW(project.ldap,user,user,newpw); if (didChange = = true){write(“Password changed for user: ”+user); write(“<br><ahref=\”home.htm\“>Login as a different user</a>”); } else{write(“***ERROR*** Password change failed. Check error logs.”);} } else{redirect(“changepw.htm”); } }

Although the foregoing description includes some embodiments of theprinciples of a new and useful system, one skilled in the art willreadily appreciate that modifications and rearrangements can be made tothose set forth herein without departing from the spirit and scope ofthe disclosure or without undue experimentation. Accordingly, thefollowing claims should be construed to encompass such modifications andrearrangements.

1. A computer-implemented method, comprising: storing, by a directoryserver: one or more directory entries comprising respectiveattribute-value pairs; a role definition indicating one or more valuesof one or more attribute-value pairs that a directory entry mustcomprise to possess the role; determining by the directory server, thata given one of the directory entries possesses the role, wherein saiddetermining comprises determining that the given directory entrycomprises the one or more values for the one or more attribute-valuepairs indicated by the role definition; in response to determining thatthe given directory entry possesses the role, the directory serversetting the value of a predetermined attribute-value pair of the givendirectory entry to indicate that the directory entry possesses the role;and servicing by the directory server, a client request wherein saidservicing is dependent on the set value of the predeterminedattribute-value pair.
 2. The method of claim 1, wherein said determiningand said setting are performed in response to receiving a request forthe value of the value of the predetermined attribute-value pair for thegiven one of the directory entries.
 3. The method of claim 1, furthercomprising creating, in response to a request, the role definition entryin the directory server.
 4. The method of claim 3, wherein the roledefinition entry comprises an indication that the requested role is amanaged role.
 5. The method of claim 3, wherein the role definitionentry comprises a distinguished name of the role.
 6. The method of claim1, further comprising: determining a scope for the role; wherein saiddetermining comprises accessing the role definition entry for the role;and wherein said determining that the given one of the directory entriespossesses the role is contingent on determining that the given one ofthe directory entries is within the scope of the role.
 7. The method ofclaim 6, wherein said determining a scope and determining that the givenone of the directory entries possesses the role are performed inresponse to receiving a request for determining if the given one of thedirectory entries possesses the role.
 8. The method of claim 1, furthercomprising: further modifying the value of the predeterminedattribute-value pair, wherein the newly modified value indicates thatthe entry does not possess the role.
 9. The method of claim 8, whereinsaid further modifying the value is performed in response to receiving arequest for revoking the role from an entry of the directory server. 10.The method of claim 1, further comprising: for each of one or moreentries of the directory server, wherein the one or more entries arewithin a scope of the role: determining if the respective value of thepredetermined attribute-value pair associated with the directory entryindicates that the entry possesses the role.
 11. The method of claim 10,wherein said determining for one or more entries is performed inresponse to receiving a request for enumerating the entries of adirectory server that possess the role.
 12. A computer-implementedmethod, comprising: storing, by a directory server, one or moredirectory entries comprising respective attribute-value pairs;receiving, by the directory server, a request for creating a role; andin response to said receiving, creating, for the role, a role definitionentry in a directory server, wherein the role definition entry comprisesa distinguished name of the role and an indication of one or more valuesof one or more attribute value pairs that a directory entry mustcomprise to possess the role.
 13. The method of claim 12, furthercomprising: in response to determining that a target one of thedirectory entries possesses the role: determining a distinguished nameof the role dependent on the role definition entry for the role; andadding the distinguished name of the role to a predetermined attributeof the target entry, wherein the predetermined attribute specifies theroles which the target entry possesses.
 14. The method of claim 12,further comprising: in response to receiving a request for determiningif a target one of the directory entries possesses the role: determininga scope of the role, wherein said determining a scope comprisesaccessing the role definition entry for the role; determining that thetarget entry is within the scope of the role and in response:determining a distinguished name of the role from the role definitionentry for the role; and determining whether a predetermined attribute ofthe target entry includes the distinguished name of the role, whereinthe predetermined attribute specifies the roles which the target entrypossesses.
 15. The method of claim 13, further comprising: in responseto receiving a request for revoking the role from the target entry ofthe directory server: determining a distinguished name of the role fromthe role definition entry for the role; and removing the distinguishedname of the role from a predetermined attribute of the target entry,wherein the predetermined attribute specifies the roles which the targetentry possesses.
 16. The method of claim 13, further comprising: inresponse to receiving a request for enumerating the entries of adirectory server that possess the role: determining a distinguished nameof the role; wherein said determining comprises accessing the roledefinition entry for the role; and determining a scope of the role;wherein said determining comprises accessing the role definition entryfor the role; determining one or more target entries of the directoryserver within the scope of the role; and for each of the one or moretarget entries within the scope of the role: computing a calculatedattribute specifying one or more roles which the target entry possesses;and determining if the calculated attribute includes the distinguishedname of the managed role.
 17. A device, comprising: a processor; and amemory coupled to the processor, wherein the memory comprises programinstructions executable by the processor to implement a directory serverconfigured to: store one or more directory entries comprising respectiveattribute-value pairs; store a role definition indicating one or morevalues of one or more attribute-value pairs that a directory entry mustcomprise to possess the role; determine that a given one of thedirectory entries possesses the role, wherein said determining comprisesdetermining that the given directory entry comprises the one or morevalues for the one or more attribute-value pairs indicated by the roledefinition; for a predetermined attribute/value pair associated with thedirectory entry, in response to determining that the given directoryentry possesses the role, setting the value of a predeterminedattribute-value pair of the given directory entry to indicate that thedirectory entry possesses the role; and service a client request,wherein said servicing is dependent on the set value of thepredetermined attribute-value pair.
 18. The device of claim 17 whereinsaid determining and said setting are performed in response to receivinga request for the value of the value of the predeterminedattribute-value pair for the given one of the directory entries.
 19. Thedevice of claim 17, wherein the program instructions are furtherexecutable to create, in response to a request, the role definitionentry in the directory server.
 20. The device of claim 19, wherein therole definition entry comprises an indication that requested role is amanaged role.
 21. The device claim 19, wherein the role definition entrycomprises a distinguished name of the role.
 22. The device of claim 17,wherein the program instructions are further executable to: determine ascope of the role; wherein said determining comprises accessing the roledefinition entry for the role; and wherein said determining that thegiven one of the directory entries possesses the role is contingent ondetermining that the given one of the directory entries is within thescope of the role.
 23. The device of claim 22, wherein said determininga scope and determining that the given one of the directory entriespossesses the role are performed in response to receiving a request fordetermining if the given one of the directory entries possesses therole.
 24. The device of claim 17, wherein the program instructions arefurther executable to: further modify the value of the predeterminedattribute-value pair, wherein the newly modified value indicates thatthe entry does not possess the role.
 25. The device of claim 24, whereinsaid further modifying the value is performed in response to: receivinga request for revoking the role from an entry of the directory server.26. The device of claim 17, wherein the program instructions are furtherexecutable to: for each of the one or more entries of the directoryserver within a scope of the role: determine if the respective value ofthe predetermined attribute-value pair associated with the directoryentry indicates that the entry possesses the role.
 27. The device ofclaim 26, wherein said determining for one or more entries is performedin response to: receiving a request for enumerating the entries of adirectory server that possess the role.
 28. A device, comprising: aprocessor; and a memory coupled to the processor, wherein the memorycomprises program instructions executable by the processor to: store, bya directory server, one or more directory entries comprising respectiveattribute-value pairs; receive, by the directory server, a request forcreating a role; and in response to said receiving, create, for therole, a role definition entry in a directory server, wherein the roledefinition entry comprises a distinguished name of the role and anindication of one or more values of one or more attribute value pairsthat a directory entry must comprise to possess the role.
 29. The deviceof claim 28, wherein the program instructions are further executable bythe processor to: determine that a target one of the directory entriespossesses the role; and in response: determine the distinguished name ofthe role; wherein said determining comprises accessing the roledefinition entry for the role; and add the distinguished name of therole to a predetermined attribute of the target entry, wherein thepredetermined attribute specifies the roles which the target entrypossesses.
 30. The device of claim 29, wherein in response to receivinga request for determining if a target one of the directory entriespossesses the role, the program instructions are further executable bythe processor to: determine a scope of the role, wherein saiddetermining a scope comprises accessing the role definition entry forthe role; determine that the target entry is within the scope of therole and in response: determine a distinguished name of the role fromthe role definition entry for the role; and determine whether apredetermined attribute of the target entry includes the distinguishedname of the role, wherein the predetermined attribute specifies theroles which the target entry possesses.
 31. The device of claim 29,wherein in response to receiving a request for revoking the role fromthe target entry of the directory server the program instructions arefurther executable by the processor to: determine the distinguished nameof the role from the role definition entry for the role; and remove thedistinguished name of the role from a predetermined attribute of thetarget entry, wherein the predetermined attribute specifies the roleswhich the target entry possesses.
 32. The device of claim 29, wherein inresponse to receiving a request for enumerating the entries of adirectory server that possess the role the program instructions arefurther executable by the processor to: determine the distinguished nameof the role; wherein said determining comprises accessing the roledefinition entry for the role; and determine a scope of the role;wherein said determining a scope comprises accessing the role definitionentry for the role; determine one or more target entries of thedirectory server within the scope of the role; and for each of the oneor more target entries within the scope of the role: compute acalculated attribute specifying one or more roles which the target entrypossesses; and determine if the calculated attribute includes thedistinguished name of the managed role.
 33. A computer-readable storagemedium storing program instructions computer-executable to implement:storing, by a directory server: one or more directory entries comprisingrespective attribute-value pairs; a role definition indicating one ormore values of one or more attribute-value pairs that a directory entrymust comprise to possess the role; determining by the directory server,that a given one of the directory entries possesses the role, whereinsaid determining comprises determining that the given directory entrycomprises the one or more values for the one or more attribute-valuepairs indicated by the role definition; in response to determining thatthe given directory entry possesses the role, the directory serversetting the value of a predetermined attribute-value pair of the givendirectory entry to indicate that the directory entry possesses the role;and servicing by the directory server, a client request wherein saidservicing is dependent on the set value of the predeterminedattribute-value pair.
 34. The computer-readable storage medium of claim33, wherein said determining and said setting are performed in responseto receiving a request for the value of the value of the predeterminedattribute-value pair for the given one of the directory entries.
 35. Thecomputer-readable storage medium of claim 33, wherein the programinstructions are further computer-executable to implement creating, inresponse to a request, the role definition entry in the directoryserver.
 36. The computer-readable storage medium of claim 35, whereinthe role definition entry comprises an indication that requested role isa managed role.
 37. The computer-readable storage medium of claim 35,wherein said creating is performed in response to a request to createthe role.
 38. The computer-readable storage medium of claim 33, whereinthe program instructions are further computer-executable to implement:determining a scope of the role; wherein said determining a scopecomprises accessing the role definition entry for the role; and whereinsaid determining that the given one of the directory entries possessesthe role is contingent on determining that the given one of thedirectory entries is within the scope of the role.
 39. Thecomputer-readable storage medium of claim 38, wherein said determining ascope and determining that the given one of the directory entriespossesses the role are performed in response to receiving a request fordetermining if the given one of the directory entries possesses therole.
 40. The computer-readable storage medium of claim 33, wherein theprogram instructions are further computer-executable to implement:further modifying the value of the predetermined attribute-value pair,wherein the newly modified value indicates that the entry does notpossess the role.
 41. The computer-readable storage medium of claim 40,wherein said further modifying the value is performed in response to:receiving a request for revoking the role from an entry of the directoryserver.
 42. The computer-readable storage medium of claim 33, whereinthe program instructions are further computer-executable to implement:for each of one or more entries of the directory server, wherein the oneor more entries are within a scope of the role: determining if therespective value of the predetermined attribute-value pair associatedwith the directory entry indicates that the entry possesses the role.43. The computer-readable storage medium of claim 42, wherein saiddetermining for one or more entries is performed in response to:receiving a request for enumerating the entries of a directory serverthat possess the role.
 44. A computer-readable storage medium storingprogram instructions computer-executable to implement: storing, by adirectory server, one or more directory entries comprising respectiveattribute-value pairs; receiving, by the directory server, a request forcreating a role; and in response to said receiving, creating, for therole, a role definition entry in a directory server, wherein the roledefinition entry comprises a distinguished name of the role and anindication of one or more values of one or more attribute value pairsthat a directory entry must comprise to possess the role.
 45. Thecomputer-readable storage medium of claim 44, wherein the programinstructions are further computer-executable to implement: in responseto determining that a target one of the directory entries possesses therole: determining a distinguished name of the role dependent on the roledefinition entry for the role; and adding the distinguished name of therole to a predetermined attribute of the target entry, wherein thepredetermined attribute specifies the roles which the target entrypossesses.
 46. The computer-readable storage medium of claim 44, whereinin response to receiving a request for determining if a target one ofthe directory entries possesses the role, the program instructions arefurther computer-executable to implement: determining a scope of therole, wherein said determining a scope comprises accessing the roledefinition entry for the role; determining that the target entry iswithin the scope of the role and in response: determining adistinguished name of the role from the role definition entry for therole; and determining whether a predetermined attribute of the targetentry includes the distinguished name of the role, wherein thepredetermined attribute specifies the roles which the target entrypossesses.
 47. The computer-readable storage medium of claim 45, whereinin response to receiving a request for revoking the role from the targetentry of the directory server the program instructions are furthercomputer-executable to implement: determining a distinguished name ofthe role from the role definition entry for the role; and removing thedistinguished name of the role from a predetermined attribute of thetarget entry, wherein the predetermined attribute specifies the roleswhich the target entry possesses.
 48. The computer-readable storagemedium of claim 45, wherein in response to receiving a request forenumerating the entries of a directory server that possess the role theprogram instructions are further computer-executable to implement:determining a distinguished name of the role; wherein said determiningthe distinguished name comprises accessing the role definition entry forthe role; and determining a scope of the role; wherein said determininga scope comprises accessing the role definition entry for the role;determining one or more target entries of the directory server withinthe scope of the role; and for each of the one or more target entrieswithin the scope of the role: computing a calculated attributespecifying one or more roles which the target entry possesses; anddetermining if the calculated attribute includes the distinguished nameof the managed role.